Download as PDF, PPTX
Uploaded byDaniel Stenberg
libcurl, seven SSL libraries and one SSH library
This document summarizes Daniel Stenberg's presentation on libcurl and SSL/TLS libraries. It discusses libcurl, which has supported HTTPS since 1998 and now supports many protocols. It also discusses the seven main SSL/TLS libraries - OpenSSL, GnuTLS, NSS, qSSL, yaSSL, PolarSSL, and axTLS - comparing their pros, cons, features, and APIs. It describes how libcurl maintains support for all libraries through a common SSL API, and why there are relatively few SSH libraries, with libssh and libssh2 being the main ones.
More Related Content
Similar to libcurl, seven SSL libraries and one SSH library
libcurl, seven SSL libraries and one SSH library
- 1. libcurl, seven SSL libraries and one SSH library February 5th 2011
- 2. Daniel Stenberg ● Free Software ● Network hacker ● Embedded developer ● Consultant Email: daniel@haxx.se Twitter: @bagder Web: daniel.haxx.se Blog: daniel.haxx.se/blog
- 3. Agenda ● libcurl ● SSL/TLS libraries ● Why so many? ● Differences ● How? ● SSH libraries ● Why so few?
- 4. Questions? ● questions? ● remarks? ● interrupt!
- 5. general libcurl ● cURL since 1998 ● libcurl since 2000 ● today: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP ● almost 40 bindings ● widely used ● MIT licensed
- 6. libcurl and SSL ● HTTPS support added 1998 (later ftpssl, smtps, imaps, pop3s) ● SSLeay …turned into OpenSSL ● GnuTLS added in 2005 ● YaSSL “support” 2006 ● NSS 2007 ● qssl 2007 ● PolarSSL 2010 ● axTLS 2010
- 7. Why so many? ● Software wants to use SSL ● Different set of requirements and demands ● Licensing ● What users/devs implement support for!
- 8. Let's compare ● 7 libraries ● what makes people select or reject each one? ● Caveats: I'm focused on client side, I'm but a user of them
- 9. OpenSSL Pro Con Established and License proven Documentation Many features Quirky API leaves CN and SAN verification to apps Big
- 10. GnuTLS Pro Con License License Documentation Less used Many features Big (TLS1.2, SRP, etc) Easy API
- 11. NSS Pro Con FIPS140 licensed DB vs file approach Many features too Firefoxfocused Documentation Big
- 12. qSSL Pro Con Runs on OS/400 Runs only on OS/400
- 13. yaSSL Pro Con License Not fully emulating OpenSSL Has an OpenSSL API Documentation Size? Less support and community
- 14. PolarSSL Pro Con License Documentation Size? Not widely tested Less support and community
- 15. axTLS Pro Con Very small TLS only License Not widely tested Less support and community
- 16. Or by feature ● GPL ● SRP ● TLS 1.2 ● SSLv2 ● FIPS140 ● Embedded focus ● Runs on Windows
- 17. How support them? ● started out as #ifdef maze ● turned into an internal API each lib needs to provide
- 18. an internal API curlssl_init() curlssl_cleanup() curlssl_connect() curlssl_connect_nonblocking() curlssl_session_free() curlssl_close_all() curlssl_close() curlssl_shutdown() curlssl_set_engine() curlssl_set_engine_default() curlssl_engines_list() curlssl_version(x,y) curlssl_data_pending(x,y)
- 19. curlssl curlssl_init() curlssl_cleanup() curlssl_connect() curlssl_connect_nonblocking() sets the recv() and send() curlssl_session_free() functions after successful curlssl_close_all() handshake curlssl_close() curlssl_shutdown() curlssl_set_engine() curlssl_set_engine_default() curlssl_engines_list() curlssl_version(x,y) curlssl_data_pending(x,y)
- 20. Maintain functionality ● hard ● test cases ● volunteerbased, nonstop distributed testing
- 21. SSH libraries ● only 2 (libssh and libssh2) ● SSH is a much less popular commodity protocol
- 22. picked libssh2 ● hand over socket to library ● nonblocking operations ● license
- 23. Summary ● Lots of SSL libs ● Very few SSH libs ● Support them all is lots of work
- 24.